Documentation ¶
Overview ¶
Package jar implements JAR scanning capabilities for log4j.
Index ¶
Constants ¶
This section is empty.
Variables ¶
This section is empty.
Functions ¶
func NewReader ¶ added in v0.2.0
NewReader is a wrapper around zip.NewReader that supports self-executable JARs. JAR files with prefixed data, such as a bash script to allow them to run directly.
If the ZIP contains a prefix, the returned offset indicates the size of the prefix.
See: - https://kevinboone.me/execjava.html - https://github.com/golang/go/issues/10464
func Rewrite ¶
Rewrite attempts to remove any JndiLookup.class files from a JAR.
Rewrite does not account for self-executable JARs and does not preserve the file prefix. This must be explicitly handled, or use RewriteJAR() to do so automatically.
zr, offset, err := jar.NewReader(ra, size) if err != nil { // ... } dest, err := os.CreateTemp("", "") if err != nil { // ... } defer dest.Close() if offset > 0 { // Rewrite prefix. src := io.NewSectionReader(ra, 0, offset) if _, err := io.CopyN(dest, src, offset); err != nil { // ... } } if err := jar.Rewrite(dest, zr); err != nil { // ... }
Types ¶
type Parser ¶ added in v0.3.0
type Parser struct { // MaxDepth is the maximum depth of recursive archives below // the top level that will be unpacked. Default is 16. MaxDepth int // MaxBytes is the maximum size of files that will be // read into memory during scanning. Default is 4GiB. MaxBytes int64 // Name is the name of the file being parsed. Default is "". Name string // FileError can be used to handle errors for a JAR file. // When checking a file returns an error other than // fs.SkipDir, FileError will be called with the offending // path and error. If FileError returns nil, checking will // continue. Otherwise, checking will abort. Default is to // abort checking whenever err != nil. FileError func(path string, err error) error }
Parser allows tuning paramters of a vulnerable log4j scan. The zero value provides reasonable defaults.
type ReadCloser ¶ added in v0.2.0
ReadCloser mirrors zip.ReadCloser.
func OpenReader ¶ added in v0.2.0
func OpenReader(path string) (r *ReadCloser, offset int64, err error)
OpenReader mirrors zip.OpenReader, loading a JAR from a file, but supports self-executable JARs. See NewReader() for details.
func (*ReadCloser) Close ¶ added in v0.2.0
func (r *ReadCloser) Close() error
Close closes the underlying file.
type Report ¶
type Report struct { // Vulnerable reports if a vulnerable version of the log4j is included in the // JAR and has been initialized. // // Note that this package considers the 2.15.0 versions vulnerable. Vulnerable bool // Vulns gives details on the individual vulnerabilities detected. Vulns []*Vuln // MainClass and Version are information taken from the MANIFEST.MF file. // Version indicates the version of JAR, NOT the log4j package. MainClass string Version string }
Report contains information about a scanned JAR.
type Vuln ¶ added in v0.5.0
type Vuln struct { // CVE is the CVE ID of the vulnerability. CVE string }
Vuln reports details of a vulnerability detected.
type Walker ¶
type Walker struct { // Rewrite indicates if the Walker should rewrite JARs in place as it // iterates through the filesystem. Rewrite bool // SkipDir, if provided, allows the walker to skip certain directories // as it scans. SkipDir func(path string, de fs.DirEntry) bool // HandleError can be used to handle errors for a given directory or // JAR file. HandleError func(path string, err error) // HandleReport is called when a JAR is determined vulnerable. If Rewrite // is provided, this is called before the Rewrite occurs. HandleReport func(path string, r *Report) // HandleRewrite is called when a JAR is rewritten successfully. HandleRewrite func(path string, r *Report) // Parser will be used when checking JARs, if provided. If // unset, a Parser with sensible defaults will be created. Parser *Parser }
Walker implements a filesystem walker to scan for log4j vulnerable JARs and optional rewrite them.